Mapping Document AU Section 322 to Clarified Statement on Auditing Standards Using the Work of Internal Auditors

Transcription

1 1 MAPPING DOCUMENT CLARIFIED STATEMENT ON AUDITING STANDARDS USING THE WORK OF INTERNAL AUDITORS This mapping document demonstrates how the material in extant AU section 322, The Auditor s Consideration of the Internal Audit (AICPA, Professional Standards), has been reflected in the clarified Statement on Auditing Standards (SAS) Using the Work of or other clarified SASs. Highlighted material identifies material eliminated as a result of clarity redrafting. The Auditing Standards Board believes that the remaining material represents the concepts of these extant AU sections included in the clarified SAS, but whose exact wording has been redrafted in the clarity format to be more concise and less prescriptive. Sentences and s that contain lead-ins, an overview, examples, or citations of requirements in other standards may not have been included. s are provided when appropriate..01 The auditor considers many factors in determining the nature, timing, and extent of auditing procedures to be performed in an audit of an entity's financial statements. One of the factors is the existence of an internal audit function. fn 1 This section provides the auditor with guidance on considering the work of internal auditors and on using internal auditors to provide direct assistance to the auditor in an audit performed in accordance with generally accepted auditing standards (GAAS). 1 Roles of the Auditor and the Page 1 of 13

2 2 Mapping Document AU Section 322 to Clarified Statement on Auditing Standards Using the Work of.02 One of the auditor's responsibilities in an audit conducted in accordance with GAAS is to obtain sufficient appropriate audit evidence to provide a reasonable basis for the opinion on the entity's financial statements. In fulfilling this responsibility, the auditor maintains independence from the entity. [Revised, March 2006, to reflect conforming changes necessary due to the issuance of SAS No. 105.].03 Internal auditors are responsible for providing analyses, evaluations, assurances, recommendations, and other information to the entity's management and those charged with governance. To fulfill this responsibility, internal auditors maintain objectivity with respect to the activity being audited. [Revised, April 2007, to reflect conforming changes necessary due to the issuance of SAS No. 114.] A2 Obtaining an Understanding of the Internal Audit Function.04 An important responsibility of the internal audit function is to monitor the performance of an entity's controls. When obtaining an understanding of internal control, fn 3 the auditor should obtain an understanding of the internal audit function sufficient to identify those internal audit activities that are relevant to planning the audit. The extent of the procedures necessary to obtain this understanding will vary, depending on the nature of those activities..05 The auditor ordinarily should make inquiries of appropriate management and internal audit personnel about the internal auditors' a. organizational status within the entity. b. application of professional standards (see.11). c. audit plan, including the nature, timing, and extent of audit work. d. access to records and whether there are limitations on the scope of their activities. A1 Also addressed by 24 of AU-C 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. Addressed by 6 of the proposed SAS and related application guidance of the conforming amendment to AU-C 315, as well as existing 24. Page 2 of 13

3 3 In addition, the auditor might inquire about the internal audit function's charter, mission statement, or similar directive from management or those charged with governance. This inquiry will normally provide information about the goals and objectives established for the internal audit function. [Revised, April 2007, to reflect conforming changes necessary due to the issuance of SAS No. 114.].06 Certain internal audit activities may not be relevant to an audit of the entity's financial statements. For example, the internal auditors' procedures to evaluate the efficiency of certain management decisionmaking processes are ordinarily not relevant to a financial statement audit..07 Relevant activities are those that provide evidence about the design and effectiveness of controls that pertain to the entity's ability to initiate, authorize, record, process, and report financial data consistent with the assertions embodied in the financial statements or that provide direct evidence about potential misstatements of such data. The auditor may find the results of the following procedures helpful in assessing the relevancy of internal audit activities: a. Considering knowledge from prior-year audits b. Reviewing how the internal auditors allocate their audit resources to financial or operating areas in response to their risk-assessment process c. Reading internal audit reports to obtain detailed information about the scope of internal audit activities [Revised, April 2002, to reflect conforming changes necessary due to the issuance of SAS No. 94. Revised, March 2006, to reflect conforming changes necessary due to the issuance of SAS No. 106.] 3 A1 Page 3 of 13

4 4 Mapping Document AU Section 322 to Clarified Statement on Auditing Standards Using the Work of.08 If, after obtaining an understanding of the internal audit function, the auditor concludes that the internal auditors' activities are not relevant to the financial statement audit, the auditor does not have to give further consideration to the internal audit function unless the auditor requests direct assistance from the internal auditors as described in.27. Even if some of the internal auditors' activities are relevant to the audit, the auditor may conclude that it would not be efficient to consider further the work of the internal auditors. If the auditor decides that it would be efficient to consider how the internal auditors' work might affect the nature, timing, and extent of audit procedures, the auditor should assess the competence and objectivity of the internal audit function in light of the intended effect of the internal auditors' work on the audit. Assessing the Competence and Objectivity of the Competence of the.09 When assessing the internal auditors' competence, the auditor should obtain or update information from prior years about such factors as educational level and professional experience of internal auditors. professional certification and continuing education. audit policies, programs, and procedures. practices regarding assignment of internal auditors. supervision and review of internal auditors' activities. quality of working-paper documentation, reports, and recommendations. evaluation of internal auditors' performance. Objectivity of the 3 14, A8.10 When assessing the internal auditors' objectivity, the auditor 14, A7 Page 4 of 13

5 5 should obtain or update information from prior years about such factors as the organizational status of the internal auditor responsible for the internal audit function, including whether the internal auditor reports to an officer of sufficient status to ensure broad audit coverage and adequate consideration of, and action on, the findings and recommendations of the internal auditors. whether the internal auditor has direct access and reports regularly to those charged with governance. whether those charged with governance oversee employment decisions related to the internal auditor. policies to maintain internal auditors' objectivity about the areas audited, including policies prohibiting internal auditors from auditing areas where relatives are employed in important or audit-sensitive positions. policies prohibiting internal auditors from auditing areas where they were recently assigned or are scheduled to be assigned on completion of responsibilities in the internal audit function. [Revised, April 2007, to reflect conforming changes necessary due to the issuance of SAS No. 114.] Assessing Competence and Objectivity.11 In assessing competence and objectivity, the auditor usually considers information obtained from previous experience with the A9 Page 5 of 13

6 6 Mapping Document AU Section 322 to Clarified Statement on Auditing Standards Using the Work of internal audit function, from discussions with management personnel, and from a recent external quality review, if performed, of the internal audit function's activities. The auditor may also use professional internal auditing standards fn 4 as criteria in making the assessment. The auditor also considers the need to test the effectiveness of the factors described in s The extent of such testing will vary in light of the intended effect of the internal auditors' work on the audit. If the auditor determines that the internal auditors are sufficiently competent and objective, the auditor should then consider how the internal auditors' work may affect the audit. Effect of the ' Work on the Audit.12 The internal auditors' work may affect the nature, timing, and extent of the audit, including procedures the auditor performs when obtaining an understanding of the entity's internal control (.13). procedures the auditor performs when assessing risk (s.14.16). substantive procedures the auditor performs (.17). When the work of the internal auditors is expected to affect the audit, the guidance in s should be followed for considering the extent of the effect, coordinating audit work with internal auditors, and evaluating and testing the effectiveness of internal auditors' work. Understanding of Internal Control.13 The auditor obtains a sufficient understanding of the design of controls relevant to the audit of financial statements to plan the audit and to determine whether they have been placed in operation. Since a primary objective of many internal audit functions is to review, assess, 7 6 Also addressed in s 14 and 24 of AU-C 315. Page 6 of 13

7 7 and monitor controls, the procedures performed by the internal auditors in this area may provide useful information to the auditor. For example, internal auditors may develop a flowchart of a new computerized sales and receivables system. The auditor may review the flowchart to obtain information about the design of the related controls. In addition, the auditor may consider the results of procedures performed by the internal auditors on related controls to obtain information about whether the controls have been placed in operation. [Revised, February 1997, to reflect conforming changes necessary due to the issuance of SAS No. 78.] Risk Assessment.14 The auditor assesses the risk of material misstatement at both the financial-statement level and the account-balance or class-of-transaction level. Addressed in AU-C Financial-Statement Level.15 At the financial-statement level, the auditor makes an overall assessment of the risk of material misstatement. When making this assessment, the auditor should recognize that certain controls may have a pervasive effect on many financial statement assertions. The control environment and accounting system often have a pervasive effect on a number of account balances and transaction classes and therefore can affect many assertions. The auditor's assessment of risk at the financialstatement level often affects the overall audit strategy. The entity's internal audit function may influence this overall assessment of risk as well as the auditor's resulting decisions concerning the nature, timing, and extent of auditing procedures to be performed. For example, if the internal auditors' plan includes relevant audit work at various locations, the auditor may coordinate work with the internal auditors (see.23) and reduce the number of the entity's locations at which Addressed in AU-C 315. Page 7 of 13

8 8 Mapping Document AU Section 322 to Clarified Statement on Auditing Standards Using the Work of the auditor would otherwise need to perform auditing procedures. Account-Balance or Class-of-Transaction Level.16 At the account-balance or class-of-transaction level, the auditor performs procedures to obtain and evaluate audit evidence concerning management's assertions. The auditor assesses control risk for each of the significant assertions and performs tests of controls to support assessments below the maximum. When planning and performing tests of controls, the auditor may consider the results of procedures planned or performed by the internal auditors. For example, the internal auditors' scope may include tests of controls for the completeness of accounts payable. The results of internal auditors' tests may provide appropriate information about the effectiveness of controls and change the nature, timing, and extent of testing the auditor would otherwise need to perform. [Revised, March 2006, to reflect conforming changes necessary due to the issuance of SAS No. 105.] Substantive Procedures.17 Some procedures performed by the internal auditors may provide direct evidence about material misstatements in assertions about specific account balances or classes of transactions. For example, the internal auditors, as part of their work, may confirm certain accounts receivable and observe certain physical inventories. The results of these procedures can provide evidence the auditor may consider in restricting detection risk for the related assertions. Consequently, the auditor may be able to change the timing of the confirmation procedures, the number of accounts receivable to be confirmed, or the number of locations of physical inventories to be observed. Extent of the Effect of the ' Work.18 Even though the internal auditors' work may affect the auditor's 10 A4 Addressed in AU-C 315. Page 8 of 13

9 9 procedures, the auditor should perform procedures to obtain sufficient appropriate audit evidence to support the auditor's report. Evidence obtained through the auditor's direct personal knowledge, including physical examination, observation, computation, and inspection, is generally more persuasive than information obtained indirectly. fn 5 [Revised, March 2006, to reflect conforming changes necessary due to the issuance of SAS No. 105.].19 The responsibility to report on the financial statements rests solely with the auditor. Unlike the situation in which the auditor uses the work of other independent auditors, fn 6 this responsibility cannot be shared with the internal auditors. Because the auditor has the ultimate responsibility to express an opinion on the financial statements, judgments about assessments of inherent and control risks, the materiality of misstatements, the sufficiency of tests performed, the evaluation of significant accounting estimates, and other matters affecting the auditor's report should always be those of the auditor..20 In making judgments about the extent of the effect of the internal auditors' work on the auditor's procedures, the auditor considers a. the materiality of financial statement amounts that is, account balances or classes of transactions. b. the risk (consisting of inherent risk and control risk) of material misstatement of the assertions related to these financial statement amounts. c. the degree of subjectivity involved in the evaluation of the audit evidence gathered in support of the assertions. fn 7 As the materiality of the financial statement amounts increases and either the risk of material misstatement or the degree of subjectivity 10, fn 6 See section 600, Special Considerations Audits of Group Financial Statements (Including the Work of Component Auditors). [Footnote revised, October 2011, to reflect conforming changes necessary due to the issuance of SAS No. 122.] Page 9 of 13

10 10 Mapping Document AU Section 322 to Clarified Statement on Auditing Standards Using the Work of increases, the need for the auditor to perform his or her own tests of the assertions increases. As these factors decrease, the need for the auditor to perform his or her own tests of the assertions decreases..21 For assertions related to material financial statement amounts where the risk of material misstatement or the degree of subjectivity involved in the evaluation of the audit evidence is high, the auditor should perform sufficient procedures to fulfill the responsibilities described in s In determining these procedures, the auditor gives consideration to the results of work (either tests of controls or substantive tests) performed by internal auditors on those particular assertions. However, for such assertions, the consideration of internal auditors' work cannot alone reduce audit risk to an acceptable level to eliminate the necessity to perform tests of those assertions directly by the auditor. Assertions about the valuation of assets and liabilities involving significant accounting estimates, and about the existence and disclosure of related-party transactions, contingencies, uncertainties, and subsequent events, are examples of assertions that might have a high risk of material misstatement or involve a high degree of subjectivity in the evaluation of audit evidence..22 On the other hand, for certain assertions related to less material financial statement amounts where the risk of material misstatement or the degree of subjectivity involved in the evaluation of the audit evidence is low, the auditor may decide, after considering the circumstances and the results of work (either tests of controls or substantive tests) performed by internal auditors on those particular assertions, that audit risk has been reduced to an acceptable level and that testing of the assertions directly by the auditor may not be necessary. Assertions about the existence of cash, prepaid assets, and fixed-asset additions are examples of assertions that might have a low risk of material misstatement or involve a low degree of subjectivity in the evaluation of audit evidence Page 10 of 13

11 11 Coordination of the Audit Work With.23 If the work of the internal auditors is expected to have an effect on the auditor's procedures, it may be efficient for the auditor and the internal auditors to coordinate their work by holding periodic meetings. scheduling audit work. providing access to internal auditors' working papers. reviewing audit reports. discussing possible accounting and auditing issues. 21, 22, A26 Evaluating and Testing the Effectiveness of ' Work.24 The auditor should perform procedures to evaluate the quality and effectiveness of the internal auditors' work, as described in s that significantly affects the nature, timing, and extent of the auditor's procedures. The nature and extent of the procedures the auditor should perform when making this evaluation are a matter of judgment depending on the extent of the effect of the internal auditors' work on the auditor's procedures for significant account balances or classes of transactions..25 In developing the evaluation procedures, the auditor should consider such factors as whether the internal auditors' scope of work is appropriate to meet the objectives. audit programs are adequate. working papers adequately document work performed, including evidence of supervision and review. conclusions are appropriate in the circumstances. reports are consistent with the results of the work performed , A31 Page 11 of 13

12 12 Mapping Document AU Section 322 to Clarified Statement on Auditing Standards Using the Work of.26 In making the evaluation, the auditor should test some of the internal auditors' work related to the significant financial statement assertions. These tests may be accomplished by either (a) examining some of the controls, transactions, or balances that the internal auditors examined or (b) examining similar controls, transactions, or balances not actually examined by the internal auditors. In reaching conclusions about the internal auditors' work, the auditor should compare the results of his or her tests with the results of the internal auditors' work. The extent of this testing will depend on the circumstances and should be sufficient to enable the auditor to make an evaluation of the overall quality and effectiveness of the internal audit work being considered by the auditor. 24 Using to Provide Direct Assistance to the Auditor.27 In performing the audit, the auditor may request direct assistance from the internal auditors. This direct assistance relates to work the auditor specifically requests the internal auditors to perform to complete some aspect of the auditor's work. For example, internal auditors may assist the auditor in obtaining an understanding of internal control or in performing tests of controls or substantive tests, consistent with the guidance about the auditor's responsibility in s When direct assistance is provided, the auditor should assess the internal auditors' competence and objectivity (see s.09.11) and supervise, fn 8 review, evaluate, and test the work performed by internal auditors to the extent appropriate in the circumstances. The auditor should inform the internal auditors of their responsibilities, the objectives of the procedures they are to perform, and matters that may affect the nature, timing, and extent of audit procedures, such as possible accounting and auditing issues. The auditor should also inform the internal auditors that all significant accounting and auditing issues identified during the audit should be brought to the auditor's attention. 26, 28, 30, A41 Page 12 of 13

13 13 Effective Date 11 Appendix The Auditor's Consideration of the Internal Audit [chart] Page 13 of 13